Three companies and leaders who think differently about security: Deep Instinct, most innovative startup; Vectra, most innovative emerging company; Paul Vixie, most innovative thought leader.
Dark Reading this year is launching a new annual awards program, the Best of Black Hat Awards, which recognizes innovative companies and business leaders on the conference’s exhibit floor.
The 2016 Dark Reading Best of Black Hat Awards recognize three categories of achievement: the Most Innovative Startup, which cites companies that have been in the industry for three years or less; the Most Innovative Emerging Company, which cites companies that have been operating for three to five years; and the Most Innovative Thought Leader, which recognizes individuals from exhibiting companies who are changing the way the industry thinks about security.
These new awards, chosen by the editors of Dark Reading, are not an endorsement of any product, but are designed to recognize innovative technology ideas and new thinking in the security arena.In future years, Dark Reading hopes to expand the awards program to recognize new products in different categories, as well as more individuals who are making a difference in the way we think about security.
Most Innovative Startup: Deep InstinctThe finalists for our Most Innovative Startup Award are Deep Instinct, which is driving past machine learning with an artificial intelligence concept called deep learning; Phantom, a security orchestration tool that provides a layer of connective tissue between existing security products; and SafeBreach, which provides a hacker’s view of enterprise security posture.
The winner is: Deep Instinct. Here’s what our judges wrote about Deep Instinct:
“This was not an easy decision—each of the finalists, Phantom, Deep Instinct, and SafeBreach, bring really intriguing and useful technology to the security problem.
In the end, we selected Deep Instinct as the Most Innovative Startup. Here’s why: the concept of a cerebral system to detect malware and malicious activity at the point of entry in real-time and quashing it then and there solves many of the other security problems down the line.If the tool can catch the malware when it hits the endpoint, a security pro theoretically wouldn’t need to check out security alerts, correlate them among various security tools and threat intel feeds, and then take the appropriate action (sometimes too late).

And unlike traditional antivirus, this technology looks at all types of threats, not just known malware, which of course is key today given the polymorphic nature of malware.
We considered Deep Instinct’s approach of automatically stopping a threat at the endpoint, where it first comes in, using software that can on its own understand that it’s a threat and continuously learn about threats as unique and promising for security organizations.

Deep learning is the next stage of machine learning, mimicking the brain’s ability to learn and make decisions, and Deep Instinct is the first company to apply this type of artificial intelligence to cybersecurity, which also made it a top choice.
In addition, benchmark tests of Deep Instinct’s technology indicate a high degree of accuracy in detecting malware, at 99.2%.

And unlike some endpoint security approaches, it occurs locally and there’s no sandbox or kicking it to the cloud for additional analysis.”
Most Innovative Emerging Company: VectraThe three finalists for our Most Innovative Emerging Company are SentinelOne, which combines behavioral-based inspection of endpoint system security processes with machine learning; Vectra, which offers real-time detection of in-progress cyber attacks and helps prioritize the attacks based on business priority; and ZeroFOX, which monitors social media to help protect against phishing attacks and account compromise.
And the winner is: Vectra. Here’s what our judges wrote about Vectra:
“It was a tough choice, but in the end, we selected Vectra, because it addressed several of security professionals’ most persistent challenges, with solutions that were both inventive and practical.
Infosec pros are inundated with alerts about threats. Whether those warnings come from media reports, newsletters, or one of many pieces of security technology, it’s often hard to prioritize them. Maybe it was declared “critical,” but is it critical to me? Maybe it was “medium,” but is it critical to me? Infosec pros have attackers dwelling on their networks for many, many months, largely because security teams cannot quickly make sense of all this threat data.

And infosec pros try to solve problems faster by adding new security technology that can sometimes put a huge strain on the network.
We chose Vectra as the winner, because their solution helps prioritize threats for your organization specifically, can reduce attacker dwell time, and do so with a lightweight solution.
Vectra’s tool tunes into all an organization’s internal network communications, and then, using a combination of machine learning, behavior analysis, and data science will identify threats, correlate them to the targeted endpoint, provide context, and prioritize threats accordingly -- as they relate to your organization.Vectra can detect things like internal reconnaissance, lateral movement, botnet monetization, data exfiltration and other malicious or potentially malicious activities throughout the kill chain.
Most importantly, Vectra’s tool allows security teams to identify their most important assets, so that the tool will know to push even a gentle nudge at those systems to the top of the priority list.
With just a glance at the simple, elegant visualization used by Vectra’s threat certainty index, an infosec pro will know in moments what precise endpoint needs their attention first.”
Most Innovative Thought Leader: Paul VixieThe three finalists for our Most Innovative Thought Leader are Krishna Narayanaswamy, Chief Scientist and Co-Founder of Netskope, Inc., a top specialist in cloud security; Dr. Paul Vixie, Chairman, CEO, and Co-Founder of Farsight Security Inc., a leader in DNS and Internet security; and Jeff Williams, Chief Technology Officer and Co-Founder of Contrast Security, who focuses on application security.
And the winner is: Paul Vixie, Farsight Security. Here’s what our judges wrote about Paul:
“This was perhaps the most difficult choice we had to make in the awards, because all three of these individuals are thought leaders and difference-makers in their own fields of security.

Each of them is a contributor not only to innovation in his own company, but to the industry at large.
In the end, we chose Paul Vixie, at least in part, because he likes to work and research and innovate in areas where few others are working.

The world of Domain Name Systems often seems impenetrable even to security experts, yet it is an essential element to the global Internet and, potentially, a huge set of vulnerabilities that could affect everyone who works and plays online.
In the last year or so, Paul has taken some of the lessons he’s learned about DNS and the way the internet works and built Farsight Security, which collects and processes more than 200,000 observations per second to help security operations centers and incident response teams more quickly identify threats.It works by analyzing DNS, which is a fundamental technology that the bad guys have to use, just as the good guys do.

And while Farsight is not the only company working in the DNS security space, it has developed new methods of analyzing and processing the data so that enterprises can make better use of relevant information.
Paul doesn’t stop with the work he is doing at his own company.

As a longtime contributor to internet standards on DNS and related issues, he continues to participate in a variety of efforts, including source address validation; the OpSec Trust initiative, which is building a trusted, vetted security community for sharing information, and internet governance, including the controversial discussion around route name service.
While all three of our finalists are deserving of special recognition, we feel that Paul Vixie’s contributions to innovation at his company, to enterprise security, and to internet security worldwide earn him this award.”
Our congratulations to all of this year’s Dark Reading Best of Black Hat Awards winners!
Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...View Full Bio
More Insights

It's not cool to kill a demo, but you can watch all the pr0n you want
Black Hat Neil Wyler and Bart Stump are responsible for managing what is probably the world’s most-attacked wireless network.
The two friends, veterans among a team of two dozen, are at the time of writing knee deep in the task of running the network at Black Hat, the security event where the world reveals the latest security messes.
The event kicks off with three days of training, then unleashes tempered anarchy as the conference proper gets under way.
Wyler, better known as Grifter (@grifter801), heads the network operations centre (NoC) at Black Hat, an event he has loved since he was 12 years old. “I literally grew up among the community,” he says.
Bart (@stumper55) shares the job.
Wyler's day job is working for RSA's incident response team while Stumper is an engineer with Optiv, but their Black Hat and DEF CON experience trumps their professional status. Wyler has worked with Black Hat for 14 years and DEF CON for 17 years, while Stump has chalked up nine years with both hacker meets.
Together with an army of capable network engineers and hackers they operate one of the few hacker conference networks that delegates and journalists are officially advised to avoid.
Rightly so; over the next week the world’s talented hacker contingent will flood Las Vegas for Black Hat and DEF CON, the biggest infosec party week of the year.

The diverse talents – and ethics – of the attending masses render everything from local ATMs to medical implants potentially hostile and not-to-be-trusted.
Some 23 network and security types represent the network operations centre (NoC) and are responsible for policing the Black Hat network they help create.

Come August each member loosens the strict defensive mindset they uphold in their day jobs as system administrators and security defenders to let the partying hackers launch all but the nastiest attacks over their network.
“We will sit back and monitor attacks as they happen," Wyler tells The Register from his home in the US. "It's not your average security job."
The Black Hat NoC.Image: supplied.
The crew operates with conference din as a background, sometimes due to cheers as speakers pull off showy hacks or offer impressive technical demos in rotating shifts.In the NoC, some laugh, some sleep, and all work in a pitch broken by the glow of LEDs and computer screens.

Their score is a backdrop of crunching cheese Nachos, old hacker movies, and electronic music.
"Picture it in the movies, and that's what it's like," Stump says, commiserating with your Australia-based scribe's Vegas absence; "it'll be quite a sight, you'll be missing something".
Delegates need not.

The NoC will again be housed in The Fish Bowl, a glass den housing the crew and mascots Lyle the stuffed ape and Helga the inflatable sheep.

Delegates are welcome to gawk.
Risky click
The NoC operators at Black Hat and DEF CON need to check their defensive reflexes at the door in part to allow a user base consisting almost entirely of hackers to pull pranks and spar, and in part to allow presenters to legitimately demonstrate the black arts of malware.
When you see traffic like that, you immediately go into mitigation mode to respond to that threat," Wyler says. "Black Hat is a very interesting network because you can't do that - we have to ask if we are about to ruin some guy's demonstration on stage in front of 4000 people".
Stump recalls intruding on a training session in a bid to claim the scalp of a Black Hat found slinging the infamous Zeus banking trojan. "The presenter says 'it's all good, we are just sending it up to AWS for our labs' and we had a laugh; I couldn't take the normal security approach and simply block crazy shit like this."
Flipping malware will get you noticed and monitored by one of the NoC's eager operators who will watch to see if things escalate beyond what's expected of a normal demonstration.
If legitimate attacks are seeping out of a training room, the sight of Wyler, Stump, or any other NoC cop wordlessly entering with a walkie-talkie clipped to hip and a laptop under arm is enough for the Black Hat activity to cease. "It is part of the fun for us," Wyler says. "Being able to track attacks to a location and have a chat."
Targeting the Black Hat network itself will immediately anger the NoC, however.
The team has found all manner of malware pinging command and control servers over its network, some intentional, and some from unwittingly infected delegates. "We'll burst in and say anyone who's MAC address ends with this, clean up your machine," Stump says.
$4000 smut-fest
Training is by far the most expensive part of a hacker conference. Of the 71 training sessions running over the weekend past ahead of the Black Hat main conference, each cost between US$2500 (£1887, A$3287) and US$5300 (£4000, A$6966) with many students having the charge covered by generous bosses.
Bart and the blow up doll cameo on CNN Money.
So it was to this writer's initial incredulity that most of the sea of "weird porn" flowing through the Black Hat pipes stems from randy training students. "It is more than it should ever be," Wyler says of the Vegas con's porn obsession. "While you are at a training class - I mean it's not even during lunch."
The titillating tidbit was noticed when one NoC cop hacked together a script to pull and project random images from the network traffic on Fish Bowl monitors.

A barrage of flesh sent the shocked operators into laughing fits of ALT-TAB.

Another moment was captured when Stump was filmed for on CNN Money and a shopper's blow up doll appeared with perfect timing.
Balancing act
Black Hat's NoC started as an effective but hacked-together effort by a group of friends just ahead of the conference.

Think Security Onion, intrusion detection running on Kali, and Openbsd boxes.
Now they have brought on security and network muscle, some recruited from a cruise through the expo floor, including two one-gigabit pipes from CenturyLink with both running about 600Mbps on each. "We were used to being a group of friends hanging out where a lot of stuff happened on site, and now we've brought in outsiders," Stump says.
Ruckus Wireless, Fortinet, RSA and CenturyLink are now some of the vendors that help cater to Black Hat's more than 70 independent networks. "It's shenanigans," Wyler says. "But we love it."
The pair do not and cannot work on the DEF CON networks since they are still being built during Black Hat, but they volunteer nonetheless leading and helping out with events, parties, and demo labs.I feel a responsibility to give back to the community which feeds me," Wyler says. "That's why we put in the late nights." ®
Sponsored: 2016 Cyberthreat defense report

Brazilian cybercriminals are clearly setting their sights on users of mobile banking, with a huge rise in incidents registered in the country over the last two years.In order to carry out these attacks they are using SMiShing (phishing via SMS) and registering new mobile phish domains created especially for this purpose.
In 2015, mobile banking usage in Brazil reached 11.2 billion transactions, an increase of 138% compared to the 4.7 billion transactions registered in 2014. Mobile banking is now the second most popular channel for accessing a bank account in the country – there are more than 33 million active accounts, according to the Brazilian Federation of Banks.Such numbers and the possibility of cheaply sending SMS messages are very attractive to cybercriminals, who are investing their time and effort to create new attacks.
Getting started doesn’t require that much money or preparation: first they need to register a domain (usually a .mobi domain), prepare a phishing page in mobile format, hire a bulk SMS service (as cheap as 2 cents per message sent, and generally paid for with a cloned credit card) and voilá! Getting the telephone numbers of the victims isn’t a problem either: huge databases of mobile numbers can easily be purchased on the Brazilian underground, or can be captured in attacks using WhatsApp as bait.

The SMiShing messages inform recipients about a credit card or a bank account that has supposedly been blocked, and always include a link:
“Your data is outdated, your account may be blocked. Please update at <phish URL>” – an SMiShing message sent by phishers
Why target users of mobile banking? Because it’s easier to hack a bank account when accessed from a mobile terminal instead of a desktop. We’ve listed some of the reasons for that below:
No protection: most smartphone users in Brazil still don’t use a dedicated AV on their phones.

A survey performed by B2B International in 2015 showed only 56% of smartphone owners around the world do so.
No security plugins: unlike desktops, most banks still don’t require the installation of a security plugin on user devices, despite most banks offering dedicated access via their mobile apps.

Furthermore, fake mobile banking apps from Brazilian banks have also been found in the Play Store. When a criminal decides to phish a mobile banking user, it’s more effective if the attack is compatible with any mobile browser.
Simple authentication: most Brazilian banks use very simple authentication on mobile devices, usually just asking for the account number and a six-digit password.
Common SMS usage: it’s very common for banks in Brazil to send notifications via SMS. When you buy something or withdraw money for your account, you’ll receive an SMS confirming the operation.

This approach has allowed Brazilian banks to decrease the number of fraud cases, in particular, this is because customers are aware of any fraud involving their credit cards or bank accounts as soon as it starts.

Confusing a SMiShing message with a legit SMS from your bank is very easy.
The mobile versions of these phishing banking websites open correctly in the browser, facilitating the theft of user credentials.

The phishers’ tactic is to force the user to access the website via their mobile devices, and not from a desktop.If the victim tries to access the phishing domain using their computer, the following message displayed:
“Service unavailable for desktops, only for mobile devices”
The phishing domain only shows its full content when access is made via a mobile browser:
The cybercriminals create phishing pages for several banks, in an array of colors and styles:
Most of the domains used in these attacks are using the .mobi TLD:
We published a list of some of the domains we found here (if you’re an AV guy, block them!).
It’s important to highlight one other thing: if access is made from an IP outside of Brazil, some domains will display nothing.It’s a method used by Brazilian phishers to keep their attacks alive for as long as possible, because if you don’t see it, you won’t block the domain. Users of our products, including the Safe Browser for iOS, Windows Phone, Android and Fraud Prevention solutions are protected against mobile phishing and SMiShing attacks.

Even if you can't physically be at Black Hat USA 2016, Dark Reading offers a virtual alternative to engage with presenters about hot show topics and trends.
Couldn’t make the trip? Not to worry.

Dark Reading editors over the last few weeks have interviewed key Black Hat figures and presenters to give you a taste of the show in two pre-recorded Dark Reading Radio episodes to be broadcast Wednesday Aug 3 and Thursday Aug 4.
Here’s the lineup:
Dark Reading Radio at Black Hat 2016, Episode 1:Date/Time: Wednesday, August 03, 2016, 1:00 p.m. New York / 10:00 a.m. Las VegasGuests: Black Hat General Manager Steve Wylie & Bugcrowd Senior Director of Researcher Operations Kymberlee Price
In this episode, Editor In Chief Tim Wilson talks with Black Hat General Manager Steve Wylie about the many programs and sessions being offered at this week’s Black Hat USA conference, highlighting some of the show’s most important keynote adresses, hot topics in the briefings, and new programs built around security careers and startup companies. He also tells Tim what makes Black Hat a different type of information security event – from in-depth training to social functions that bring security pros together.
In the second segment of the radio show, Kymberlee Price, give yours truly a behind the scenes look at how to build a security incident response team using crowd sourcing. Kymberlee is senior director of researcher operations at Bugcrowd.She’ll be offering some takeaways and tips from her Black Hat 16 briefing Building a Product Security Incident Response Team: Learnings from the Hivemind, which she is presenting this week at the Mandalay Bay in Las Vegas.
Dark Reading Radio at Black Hat 2016, Episode 2Date/Time: Thursday, August 04, 2016, 1:00 p.m. New York / 10:00 a.m. Las VegasGuests: Wesley McGrew, Director of Cyber Operations at Horne Cyber & Konstantin Berlin, Senior Research Engineer at Invincea Labs
In this special episode of Dark Reading Radio, Executive Editor Kelly Jackson Higgins talks to Wesley McGrew, director of cyber operations at Horne Cyber, about his research on hacking penetration testers, "Secure Penetration Testing Operations: Demonstrated Weaknesses In Learning Material And Tools." McGrew over the past few years has been examining vulnerabilities and security weaknesses in penetration testing tools, processes, and practices, and will release his homegrown Snagterpreter tool at Black Hat that allows an attacker to hijack, monitor, and alter traffic between the pen tester and his or her target/client.
Capping things off, is Sara Peters interview with Konstantin Berlin, senior research engineer at Invincea Labs.

Berlin hones in one of the key cybersecurity promises of machine learning (particularly "deep learning") for security analysis, with a focus on how to take give organizations more information about unfamiliar code than simply "it's benign" or "it's malicious." His talk is, "An AI Approach To Malware Similarity Analysis: Mapping The Malware Genome with a Deep Neural Network."
Hope you to see you in the radio studio on Wednesday and Thursday.

And if you can't make it this week, you can view the show in our archives at your convenience. (Registration is Required.)
Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...View Full Bio
More Insights

Cybersecurity experts to head event during the ongoing Black Hat hacker conference this week.
Plagued by cybersecurity problems throughout its presidential campaign, Democratic nominee Hillary Clinton’s campaign will now be hosting a cybersecurity-themed charity event at Las Vegas this week, during the ongoing Black Hat cybersecurity conference, reports FedScoop.
Heading the fundraiser panel will be Black Hat founder Jeff Moss, Harvard University professor Michael Sulmeyer, who heads Clinton’s cyber policy working group, and Cambridge Global Advisors chief Jake Braun, also strategic advisor to Department of Homeland Security and Pentagon on cybersecurity issues.
Going by their experience in digital security, it is likely that Sulmeyer and Braun could find themselves with information protection responsibilities in the next administration, says FedScoop.
The fundraiser comes close on the heels of a Clinton campaign breach in which the analytics data program it uses was compromised during the DNC hack.
For more details, click here.
Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

For more information from the original source of the news item, please follow the link provided in this article.View Full Bio
More Insights

Endpoint detection response is helping take the headache out of responding to threats by providing visibility where most organizations are blind.
Endpoint detection and response (EDR) is much more than a next-generation endpoint capability, it is a driving force of evolutionary change within security operations centers (SOC) today.

EDR provides visibility where most organizations are blind.In our network-centric world, EDR provides a fast path to endpoint context, enabling rapid identification of false positives or the origin of attacks.
To illustrate this point, I created a litmus test to review common limitations in security information and event management (SIEM) and threat monitoring today.

Because most SIEM have insufficient endpoint data, threat analysts struggle to answer even the most fundamental questions, such as:
Is the attack targeting a critical, sensitive, or regulated asset?
Does the identified exploit target the right operating system or application?
Nor the more complex questions such as:
What process executed a connection to the known malicious IP or URL?
What occurred following the successful inbound attack?
Life without EDR
For organizations without EDR, researching and responding to threats is a maddening exercise. With limited access to endpoints or endpoint context, threat analysts -- particularly in large enterprise or managed security service provider (MSSP) -- have few choices other than to open a ticket and delegate the research to others with access to the targeted machine.
The stakeholder could be in another department or region.

For MSSPs, this is the heartbeat of communication between the SOC and customers under attack.

Tickets may be answered quickly but a large majority take days and weeks.Some aren’t answered at all.In fact, due to the substantial delays incurred, special tools have been created to address the hold up.
One such tool is called alert suppression. Using alert suppression, mature SOCs can hide repetitive alerts waiting for information requested from stakeholders.
Another technique is to auto notify and close tickets without response.
Last but not least, it’s often easier to simply re-image the machine than to investigate root cause.
This is the average day to day of threat analysts in the SOC.It’s not sexy, nor is it cost effective. Repeated tens (if not hundreds) of times on a daily or weekly basis drives up organizational costs to an unsupportable level. When I hear people say: “I can’t afford to build or staff a SOC,” it’s not surprising given the status quo. Manual and human intensive tasks give security a bad name.

This is life without EDR.
Life with EDR
The introduction of EDR is a major evolution in SOC effectiveness.

Threat analysts no longer need to ask others to validate threats, the data is available to real-time query. With immediate access to the data, three incredible things happen:
The SOC Analyst can research and respond to alerts in rapid succession, dramatically increasing their workload.
Armed with endpoint context, Tier 1 threat analysts can perform more sophisticated analysis, encroaching on the role typically assigned to Tier 2.
By eliminating the high volume of tickets requesting context, MSSP customers or stakeholders of large enterprise are relieved of the deluge of inquiries.
Inevitably, a breach will occur. When that does happen, utilizing a best-in-class EDR vendor that includes continuous and centralized recording takes the guesswork out of incident response.

The attacker may have erased their tracks, but EDR recorded the attackers every move with an endpoint DVR, the cyber equivalent to a surveillance camera. With a complete historical recording of an attacker and their actions, incident responders don’t need to fly to the scene of the crime, scrape RAM, or image machines to look for clues.

The full recorded history of the attack enables on the spot incident response.
EDR is much more than an endpoint security product; it’s causing an evolution in the people and process utilized within security operation centers globally.

And for individual corporations or customers who rely on MSSPs to deliver skills and expertise, EDR is a fundamental technology that is not optional. It’s a foundational requirement of the next generation security operation center and primary reason we’ll collapse the average ~250 day gap between attack initiation and discovery.
John Markott is a Director of Product Management at Carbon Black. His mission is to help managed security service providers and incident-response firms ride the wave and reap the rewards of next-generation endpoint security. With nearly two decades of experience in InfoSec, ...View Full Bio
More Insights

Q2 events
DDoS attacks on cryptocurrency wallet services have played an important role in the lives of these services.In the second quarter of 2016, two companies – CoinWallet and Coinkite – announced they were terminating their work due to lengthy DDoS attacks.

According to Coinkite’s official blog, the e-wallet service will be shut down, as well as its API.

The company admits that the decision was largely due to constant attacks and pressure from various governments who want to regulate cryptocurrency.
A piece of malware was detected that possesses worm functionality and builds a botnet of Linux-based routers (including Wi-Fi access points).It spreads via Telnet.

An analysis of the worm’s code has shown that it can be used in various types of DDoS attacks.
Experts have registered a growing number of botnet C&C servers operating based on LizardStresser – a tool used to perform DDoS attacks.

The LizardStresser source codes belong to the hacker group Lizard Squad and were made publically available at the end of 2015.

This is what led to the increase in the number of botnets using new versions of the tool.
Researchers discovered a botnet consisting of 25 000 devices most of which are surveillance cameras.

According to the experts, 46% of the infected devices are CCTV systems H.264 DVR.

The other compromised devices were manufactured by ProvisionISR, Qsee, QuesTek, TechnoMate, LCT CCTV, Capture CCTV, Elvox, Novus, and MagTec CCTV.
A new botnet named Jaku located mainly in Japan and South Korea was detected. Researchers have stated that the botnet operators are focused on major targets: engineering companies, international organizations, scientific institutions.
A new modification of Cerber ransomware that uses an infected device to carry out DDoS attacks was discovered.

This cryptor Trojan is responsible for sending the UDP packets in which it changes the sender address for the address of the victim.

A host that receives the packet sends a reply to the victim’s address.

This technique is used to organize a UDP flood, meaning that this Trojan, in addition to its basic ransomware functionality, also integrates the functionality of a DDoS bot.
Statistics for botnet-assisted DDoS attacks
Methodology
Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity.

The company’s experts monitor botnet activity with the help of the DDoS Intelligence system.
Resources in 70 countries were targeted by DDoS attacks in Q2 2016 #KLReport
Tweet
The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.
This report contains the DDoS Intelligence statistics for the second quarter of 2016.
In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours.If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack.

Attacks on the same web resource from two different botnets are also regarded as separate attacks.
The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses.In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.
77.4% of targeted resources in Q2 2016 were located in China #KLReport
Tweet
It is important to note that DDoS Intelligence statistics are limited to those botnets detected and analyzed by Kaspersky Lab.It should also be noted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.
Q2 Summary
Resources in 70 countries were targeted by DDoS attacks in Q2 2016.
77.4% of targeted resources were located in China.
China, South Korea and the US remained leaders in terms of the number of DDoS attacks and number of targets.
The longest DDoS attack in Q2 2016 lasted for 291 hours (or 12.1 days) – significantly longer than the previous quarter’s maximum (8.2 days).
SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios.

The proportion of attacks using the SYN DDoS method increased 1.4 times compared to the previous quarter.
In Q2 2016, 70.2% of all detected attacks were launched from Linux botnets, which is almost double the figure for the first quarter.
Geography of attacks
In Q2 2016, the geography of DDoS attacks narrowed to 70 countries, with China accounting for 77.4% of attacks.In fact, 97.3% of the targeted resources were located in just 10 countries.

The three most targeted countries remained unchanged – China, South Korea and the US.
Distribution of DDoS attacks by country, Q1 2016 vs. Q2 2016
This quarter’s statistics show that 94.3% of attacks had unique targets within the 10 most targeted countries.
Distribution of unique DDoS attack targets by country, Q1 2016 vs. Q2 2016
Here too China was the leader: 71.3% of all DDoS attacks targeted unique resources located in the country (vs. 49.7% in Q1).
In Q2 2016 China, South Korea and the US remained leaders in terms of the number of DDoS attacks #KLReport
Tweet
The growth in the proportion of attacks on Chinese resources resulted in a decline in the share of attacks on resources in the other TOP 10 countries: South Korea saw its share fall by 15.5 percentage points, while the contribution of the US fell by 0.7 p.p.
Russia left the TOP 5 after its share decreased by 1.3 p.p.Vietnam took Russia’s place after its share remained unchanged (1.1%).

Germany and Canada both left the TOP 10 and were replaced by France and the Netherlands on 0.9% and 0.5% respectively.
Changes in DDoS attack numbers
DDoS activity was relatively uneven in Q2 2016, with a lull from late April till the end of May and two sharp peaks on 29 May and 2 June.

The peak number of attacks in one day was 1,676, recorded on 6 June.
Number of DDoS attacks over time* in Q2 2016*DDoS attacks may last for several days.In this timeline, the same attack can be counted several times, i.e. one time for each day of its duration.
The longest DDoS attack in Q2 2016 lasted for 291 hours (or 12.1 days) #KLReport
Tweet
An analysis of the data for the first half of 2016 shows that although the distribution of DDoS attack numbers by day of the week remains uneven, a steady upward trend is evident.
Number of DDoS attacks, Q1 2016 – Q2 2016
In Q2, Tuesday was the most active day of the week for DDoS attacks (15.2% of attacks), followed by Monday (15.0%).

Thursday, which came second in Q1, fell one place (-1.4 p.p.).Sunday became the quietest day of the week in terms of DDoS attacks (13.0%).
Distribution of DDoS attack numbers by day of the week
Types and duration of DDoS attacks
The ranking of the most popular attack methods remained unchanged from the previous quarter.

The SYN DDoS method has further strengthened its position as leader: its share increased from 54.9% to 76%.

The proportion of the other types of attacks decreased slightly except for UDP DDoS whose contribution grew by 0.7 p.p. However, those little fluctuations did not affect the order of the Top 5.
Distribution of DDoS attacks by type
The growth in the popularity of SYN-DDoS is largely down to the fact that during the second quarter of 2016, 70.2% of all detected attacks came from Linux botnets.

This was the first time in a number of quarters that there has been such an imbalance between the activity of Linux- and Windows-based DDoS bots. Previously, the difference had not exceeded 10 percentage points. Namely Linux bots are the most appropriate tool for using SYN-DDoS.
Correlation between attacks launched from Windows and Linux botnets
Attacks that last no more than four hours remained the most popular, although their share decreased from 67.8% in Q1 to 59.8% in Q2 of 2016.

At the same time, the proportion of longer attacks increased considerably – attacks that lasted 20-49 hours accounted for 8.6% (vs. 3.9% in the first quarter) and those that lasted 50-99 hours accounted for 4% (vs. 0.8% in the previous quarter).
SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios in Q2 2016 #KLReport
Tweet
The longest DDoS attack in the second quarter of 2016 lasted for 291 hours, which significantly exceeded the Q1 maximum of 197 hours.
Distribution of DDoS attacks by duration (hours)
C&C servers and botnet types
In Q2, South Korea remained the clear leader in terms of the number of C&C servers located on its territory, with its share amounting to 69.6%, a 2 p.p. increase from the first quarter of 2016.

The TOP 3 countries hosting the most C&C servers (84.8%) remained unchanged, while Brazil (2.3%), Italy (1%) and Israel (1%) all entered the TOP 10.
Distribution of botnet C&C servers by country in Q2 2016
As in previous quarters, 99.5% of DDoS targets in Q2 2016 were attacked by bots belonging to one family.

Cybercriminals launched attacks using bots from two different families (used by one or more botnet masters) in just 0.5% of cases.

The most popular families of the quarter were Xor, Yoyo and Nitol.
Conclusion
The second quarter of 2016 saw cybercriminals paying close attention to financial institutions working with cryptocurrency.Several of these organizations cited DDoS attacks as the reason for ceasing their activities.Intense competition leads to the use of unfair methods, one of which is the use of DDoS attacks.

A strong interest on the part of the attackers is due to a particular feature of the businesses involved in processing cryptocurrency – not everyone is happy about the lack of regulation when it comes to cryptocurrency turnover.
In Q2 2016, 70.2% of all detected attacks were launched from Linux botnets #KLReport
Tweet
Another trend is the use of vulnerable IoT devices in botnets to launch DDoS attacks.In one of our earlier reports, we wrote about the emergence of a botnet consisting of CCTV cameras; the second quarter of 2016 saw a certain amount of interest in these devices among botnet organizers.It is possible that by the end of this year the world will have heard about some even more “exotic” botnets, including vulnerable IoT devices.

SECURITY OUTFIT PROOFPOINT has made its point again and uncovered a thing called AdGholas which it warned is a pretty damn significant malvertising campaign.
The firm has already smashed the campaign into the ground, thanks to work with service providers and fellow security company Trend Micro.
The campaign was used by three groups, and a number of websites were affected by the placement of infected adverts.

A Proofpoint blog post explained that victims included the Belfast Telegraph and a French hotel.
"Proofpoint researchers have discovered and analysed a massive malvertising network operating since 2015, run by a threat actor we designated as AdGholas and pulling in as many as one million client machines per day," the firm said.
"This malvertising operation infected thousands of victims every day using a combination of techniques including sophisticated filtering and steganography, as analysed by fellow researchers at Trend Micro.
"While AdGholas appears to have ceased operation in the wake of action by advertising network operators following notification by Proofpoint, the scale and sophistication of this operation demonstrate the continued evolution and effectiveness of malvertising."
Proofpoint does a lot of this sort of thing, and just recently cast a dark light over Pokémon.
AdGholas might seem like any other old malvertising whack but is a bit of a pioneer in that it is first such campaign to use stenography in drive-by malware attacks.
"This campaign represents the first documented use of steganography in a drive-by malware campaign, and the attacks employed ‘informational disclosure' bugs perceived to be low risk to stay below the radar of vendors and researchers," Proofpoint said.
AdGholas even used evasive tactics to avoid discovery and suspicion, and redirected or mimicked legitimate sites when under close inspection.

And it did all this undetected for over a bloody year.
We guess the lesson here is to trust in security companies and don't click on links that don't look kosher.

'Entirely comfortable paying money to criminals' grumbles infosec bod
A “ransomware guarantee” from security outfit SentinelOne has been dismissed by critics as a marketing stunt.
Ransomware is currently the biggest scourge of internet security, affecting corporates and consumers alike.
So self-styled next generation endpoint security firm SentinelOne unsurprisingly created waves with a pledge to pay out on ransomware demands if its product failed to protect customers from file-encrypting pathogens such as Locky and CryptXXX.
We believe it is time to stand behind what you sell. We have great technology, and we’re not afraid to back it.

Financially.
And apparently some of the top re-insurers in the world agree with us. We’ve created the first ever Ransomware Cyber Guarantee – a warranty for our product’s performance.It’ll give you the best protection from ransomware attacks – and if we miss something and you get infected – we’ll pay the ransom.
“SentinelOne’s cyber threat protection guarantee program provides its customers with financial support of $1,000 per endpoint, or up to $1m per company,” according to a press release the firm issued on Tuesday.
Anti-virus industry veteran Graham Cluley said the offer showed SentinelOne is willing to pay crooks if its tech doesn't work as advertised.
“SentinelOne says it's entirely comfortable paying money to criminals,” he said in a blog post.
“Of course it's a marketing stunt, but still one – I must admit – that leaves a strange taste in my mouth… couldn't SentinelOne have just offered to throw in a decent backup program?”
El Reg put this criticism to SentinelOne’s PR representatives on Thursday morning but we’re yet to receive any response.
SentinelOne raised hackles earlier this month by reporting it had discovered “SCADA” malware that had infected at least one European energy firm, before walking back on its claims after others questioned the ability of the malicious code it had identified to infect industrial control systems. ®
Sponsored: 2016 Cyberthreat defense report

A lot of hard work needs to go into effectively implementing an intelligence-driven security model.It starts with five critical factors.
Many organizations want to build a threat intelligence team but don’t really know where to start, let alone answer the question, what exactly is threat intelligence? The definition has been clouded by the industry over the last several years, even as vendors rush to build "intelligence"-based solutions. Without getting bogged down in the argument over what is -- and is not -- threat intelligence, let's discuss how an organization can build a team to effectively use intelligence to drive enterprise security. Here are five critical factors:
Factor 1: Establish an intelligence priorities framework. To effectively use intelligence, the organization must first establish and prioritize information they will need.

This can be accomplished by identifying intelligence gaps that exist, formulating requirements from the intelligence gaps, then organizing the requirements into categories that align with the organization.
For example, in a priority intelligence requirements (PIR) document, "P1" might map to what adversaries target my organization, underneath this, another requirement might be what nation-state adversaries target my organization.

This might be expressed as "P1.a." This structure allows the organization to maintain a centralized list of all intelligence requirements available for review on a regular basis.
Factor 2:Incorporate and consolidate intelligence sources. There are a wealth of different sources:
Technical sources include the SIEM, IDS, firewall, next-generation endpoint security platforms, and logs from any number of devices
Open Sources such as published vendor reports, any number of free feeds of indicators, vendor vulnerability lists (Microsoft, Apple, Adobe, etc), and media sources
Closed Sources may include community mailing lists, or organizations such as ISACs
Paid IntelligenceFeedsFactor 3: Map Your Intelligence Collection.

As new intelligence is collected from these sources, align them with the intelligence priorities defined in factor 1.

For example, public reports indicators associated with a known threat actor, might align to an intelligence requirement around targeted attacks. Memorialize that intelligence via an internal system: an email with the source, date, priority it maps to, the collected intelligence, and some analysis.Store the collected intelligence in a searchable repository.If possible, operationalize it by feeding into technical sensors then take the actionable information and apply to SIEM, create firewall block or logging event, create an IDS rule, or block the hash in the endpoint prevention system.
Factor 4: Find the best talent. Employing intelligence analysts who can review inbound intelligence and produce analysis germane to the organization is key.

As new intelligence is collected, someone needs to assess if it is significant to the organization, explain how it is significant, decide who it is significant for, and produce cogent analysis around scenarios in which it might be significant.
Entire libraries can be filled with books on proper analytic tradecraft, but training a SOC analyst to perform intelligence analysis can be very costly and time-consuming. Many technical experts operate in a binary world; something is either black or it is white.Intelligence analysts live in a grey world: they consider a myriad of states and can make assessments around the likelihood that something might happen, or cause a situation to change.

These analysts will employ concepts like alternative competing hypotheses (ACH) to handle multiple possibilities or outcomes.
Factor 5:Tailor The Finished Products To The Audience. Disseminating intelligence is a critical function of the intelligence team. Weekly or even daily products that convey the intelligence analyzed and collected over a discrete period of time allow the intelligence team to keep their internal customers abreast of the various things that are going on.Intelligence products should be tailored to the audience and contain information to help them be more effective.

For example, a product for the executive suite covering the attacks observed, upcoming events that may impact enterprise security, the latest relevant news pertaining to enterprise security, and intelligence assessments about things that may happen will go a long way in shaping an organization so that it is more proactive to threats.
Related Content:
Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field.

At CrowdStrike, Adam serves as the VP of ...View Full Bio
More Insights

(Image: CNET/CBS Interactive)
The total number of government requests for data on Amazon customers has doubled over the past year.
The retail and cloud giant quietly announced the latest figures for the first six months of 2016 ending June in a report,...

LS-ISAO is 'the fastest-growing' ISAO.
The Legal Services Information Sharing and Analysis Organization (LS-ISAO), which was founded less than a year ago, now has more than 100 members and is regarded the “fastest growing” ISAO, the group said this week.
The LS-ISAO was formed to share real-time cyber threat intelligence between members from the legal sector, which has become a popular target of cyberattackers, including nation-states and cybercriminals interested in pilfering information about law firm clients.
LS-ISAO faciltates discussions among member firms on cyber threat indicators, cross-community threat information, and phishing attack attempts on international law firms, as well as offers education resources via the FS-ISAC Summit.
“My firm considers the LS-ISAO to be the best opportunity to stay up-to-date with actionable security information," said Matt Kesner of Fenwick & West LLP.
Legal services firms wishing to join LS-ISAO may contact [email protected]
Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

For more information from the original source of the news item, please follow the link provided in this article.View Full Bio
More Insights

CATEGORIES

Cyber Parse was created to provide knowledge to help everyone understand and deal with the ever increasing threats we all face by Cyber Crime (Malware, Social Engineering, Phishing and hacking).
Our purpose is to provide the right information to our readers by breaking down and communicating knowledge relating to Cyber Crime, Cyber Security, Information Security and Computer Security, then using Risk Management practices to help translate the technical aspects of the Risks, Threats, Vulnerabilities and controls to reduce the risk into business language.